Privacy Policy
Effective Date: August 31, 2025
At neuroaide, Inc. and its affiliates ("Company," "we," "us," or "our"), we are committed to protecting your privacy and ensuring the security of your Personal Information and Client Data, as defined below.
This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you ("User," "you," or "your") use neuroaide ("Service"). This policy should be read in conjunction with our Terms of Service (“Terms”) and our Business Associate Agreement (“BAA”), which is incorporated into the Terms.
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy and our Terms, which are hereby incorporated by reference.
1. Our Role Under HIPAA: As a provider of services to healthcare professionals, neuroaide acts as a "Business Associate" under the Health Insurance Portability and Accountability Act ("HIPAA"). This means we are legally obligated to protect the privacy and security of any Protected Health Information ("PHI") we receive, create, maintain, or transmit on your behalf. Our responsibilities are detailed in the BAA, which governs our handling of all PHI.
2. User Consent and Preferences
2.1 Consent Mechanisms: By using our Service and by clicking the "I acknowledge and agree" checkbox during the signup process, you consent to the collection and use of your Personal Information and Client Data as described below in this Privacy Policy.
2.2 Preference Management: Currently, we do not provide tools or settings for users to manage their privacy preferences. However, you can modify your Personal Information or request its deletion by contacting our support team at support@neuroaide.ai.
3. Information We Collect and How We Collect It
3.1 User Information: We collect personal information that you provide directly to us when you create an account or interact with the Service, including:
(a) email address;
(b) first name;
(c) last name; and
(d) organization or company you work for (collectively “Personal Information”).
3.2 Client Data: You retain ownership of all data, including assessment scores, rating scale scores, and qualitative observations and notes about your clients (“Client Data”), that you input into the Service. Client Data may include PHI, as defined under HIPAA. We collect and process Client Data to provide the Service to you in accordance with our Terms and BAA.
3.3 Automatically Collected Data: We do NOT automatically collect Personal Information such as browser types or browsing behavior through cookies or other tracking technologies. However, we may use local storage on your device to deliver the Service and enhance your user experience. Local storage may be used to store session information and user preferences to facilitate seamless navigation and operation of the Service. We may collect basic usage data, such as login times, features used, and interaction patterns, to improve the Service and enhance your user experience. This data is collected without using cookies or third-party tracking technologies.
3.4 Information Collected on Our Public Marketing Website: Our public marketing website (hosted by HubSpot) uses cookies, pixel tags, and similar tracking technologies to help us analyze website traffic, measure the effectiveness of our advertising campaigns, and deliver targeted ads to you on third-party websites. The information collected may include your IP address, browser type, pages visited, and other browsing behavior. This information is used for our marketing purposes and is not linked to your account or any Client Data within the secure Service.
3.5 Secure Service: To protect the confidentiality of Client Data, the secure, logged-in portion of our Service does not use third-party advertising cookies or tracking pixels. We do, however, use local storage and essential authentication tokens on your device, which are necessary to provide the core functionality of the Service, maintain your logged-in state, and enhance your user experience. We also temporarily cache Client Data in your browser's local storage as part of our auto-save feature to prevent data loss from inadvertent page refreshes or connectivity issues. This data resides on your local device and is cleared periodically.
3.6 Data Minimization: We adhere to the principle of data minimization, collecting only the information necessary to provide and improve our Service. We regularly review our data collection practices to ensure we're not collecting unnecessary information.
3.7 Direct Collection: We collect information directly from you when you:
(a) create an account;
(b) input Client Data; or
(c) communicate with us via email or other channels.
3.8 Third-Party Sources: We use HubSpot for email delivery services for marketing communications and notifications related to the Service. HubSpot may collect certain information necessary to send you emails, and collect information about your interactions with our emails, such as open rates and click-through rates, to help us improve our communications.
4. How We Use Your Information
4.1 Service Provision: We use the information you provide to:
(a) deliver the Service and enhance your user experience;
(b) analyze and generate draft reports; or
(c) improve the quality of our report outputs.
4.2 Communication: By providing your information when signing up for the Service, submitting a lead form, or otherwise engaging with us, you consent to receive marketing communications, such as newsletters, product updates, and event invitations. You may opt out of these communications at any time as described in Section 7.3. We use your contact information to:
(a) send service-related announcements and updates;
(b) respond to your inquiries and provide customer support; or
(c) send marketing communications.
4.3 Analytics and Improvement: We may use de-identified and aggregate data to:
(a) enhance and optimize the Service;
(b) conduct research and development; or
(c) analyze trends and usage patterns.
Any de-identification is performed by us in accordance with the HIPAA de-identification standard at 45 C.F.R. § 164.514(b) as described in our BAA.
4.4 Legal Compliance: We may use your information to comply with applicable laws, regulations, legal processes, or governmental requests, and to meet our obligations under HIPAA and our BAA with you.
5. Sharing of Information
5.1 Third-Party Service Providers and Subcontractors: To provide our Services, we engage various third-party service providers. These service providers are contractually obligated to use data solely for the purpose of providing the specified service to us and are prohibited from using the data for their own purposes. We formally distinguish between providers based on their access to PHI:
(a) Subcontractors: These are providers who create, receive, maintain, or transmit PHI on our behalf to deliver core aspects of our Service. A complete list of our Subcontractors is maintained in Exhibit A of our Business Associate Agreement (BAA). We have signed a HIPAA-compliant BAA with each Subcontractor that requires them to protect your PHI to the same high standards that we do.
(b) Other Third-Party Service Providers: We may also use providers for services that do not involve PHI (“OTPSP”), such as email delivery for marketing and service notifications. These providers do not have access to PHI and are not considered Subcontractors under HIPAA.
5.2 Sharing Data: We may share your Personal Information and Client Data with OTPSPs and Subcontractors who assist us in operating the Service and conducting our business, including:
(a) Aptible: Hosting, data storage, and retrieval
(b) Datadog: Data log storage and retrieval
(c) Dropbox: Data storage and retrieval
(d) HubSpot: Email delivery services
(e) OpenAI: AI processing services (all data sent to OpenAI is processed in accordance with the BAA we have in place with them, which prohibits data retention and use for model training).
5.3 Legal Requirements: We may disclose your Personal Information or Client Data if Required by Law or in response to valid requests by public authorities (e.g., courts or government agencies).
5.4 Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your Personal Information and Client Data may be transferred to the acquiring entity.
6. Data Security, Storage, and Retention
6.1 Security Measures: We protect your Personal Information and Client Data using reasonable and appropriate administrative, physical, and technical safeguards in accordance with the HIPAA Security Rule. These include encryption, secure servers, firewalls, and access controls.
6.2 Data Storage Location: All data is stored on secure servers located in the United States.
6.3 Data Breach Policies and Regulatory Notification: In the event of a data breach that compromises your Personal Information or Unsecured PHI, as defined in HIPAA, we will notify affected users via email. For Unsecured PHI, we will notify you in accordance with our obligations under the BAA, which requires notification without unreasonable delay and in no case later than five (5) business days after discovery. For Personal Information, we will notify you as required by applicable law. We will coordinate with relevant authorities and comply with all legal obligations, including timely notifications and cooperation during investigations.
6.4 Retention Period: Upon termination of the Terms, we will return or securely destroy all PHI in our possession and will not retain any copies, in accordance with our BAA. You acknowledge that this destruction process is permanent and irreversible. We may retain PHI in encrypted backups for disaster recovery and business continuity purposes in compliance with HIPAA’s Security Rule, provided that such PHI is not accessed or used unless required for those purposes. The process will be initiated upon termination and may take up to 180 days to be completed to ensure the removal of PHI from all production, disaster recovery, and backup systems. If return or destruction is not feasible (for example, where PHI exists only in encrypted back-ups), we will extend the protections of the BAA to the information and limit further uses and disclosures to those purposes that make the return or destruction infeasible for as long as we maintain it. This obligation shall not apply to any data that has been de-identified or to PHI that has been processed through a subcontractor’s HIPAA-compliant workflow. Any data that is not PHI will be handled in accordance with our standard data retention policies.
6.5 Retention of Personal Information: We will retain your Personal Information for as long as your account is active. Following the termination of your account, we will retain your Personal Information for a period of five (5) years for legitimate business purposes, including to comply with our legal obligations (such as for tax and accounting purposes), resolve disputes, and enforce our agreements.
7. User Rights and Responsibilities
7.1 Access and Correction: You may request access to or correction of your Personal Information by contacting us at support@neuroaide.ai.
7.2 Deletion Requests: You may request the closure of your account and deletion of your Personal Information by contacting us at support@neuroaide.ai. Deletion of Client Data containing PHI is governed by the termination provisions in our BAA.
7.3 Opt-Out Options: You may opt out of receiving marketing communications by following the unsubscribe instructions included in such emails. Please note that you cannot opt out of service-related communications necessary for the operation of your account.
7.4 Account Security: You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account. Please do not share your username or password with anyone.
7.5 Third-Party Links: The secure, logged-in portion of our Service does not contain links to third-party websites. Our public marketing website may include third-party links that are outside the secure Service.
8. Compliance and Regulatory Matters
8.1 GDPR and CCPA: Our Service is not offered to individuals in the European Economic Area (“EEA”) and is not subject to the General Data Protection Regulation (“GDPR”). We currently do not meet the thresholds that would require compliance with the California Consumer Privacy Act (“CCPA”). We are committed to complying with all applicable privacy laws and regulations as our operations expand and as these laws evolve.
8.2 Ongoing Compliance Efforts and Privacy Impact Assessments: We regularly review and update our practices to ensure ongoing compliance with applicable laws and regulations. This includes conducting periodic internal audits and privacy impact assessments, including audits of Client Data, to ensure compliance with our privacy policies and applicable laws. These assessments are conducted internally under strict confidentiality protocols.
9. International Data Transfers: Our Service is intended for users within the United States, and all data is processed and stored domestically. We do not transfer your Personal Information internationally.
10. Children's Privacy: Our Service is not intended for use by individuals under the age of 13. We do not knowingly collect Personal Information from children. If you become aware that a child has provided us with Personal Information, please contact us immediately at support@neuroaide.ai.
11. Changes to the Privacy Policy: We reserve the right to update or modify this Privacy Policy at any time. We will notify you via email of any significant changes at least thirty (30) days before they take effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated Privacy Policy.
12. Contact Information: If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at: support@neuroaide.ai.
Thank you for choosing neuroaide. We are committed to providing you with a valuable tool to reduce the time and mental burden associated with writing neuropsychological and psychoeducational reports.
support@neuroaide.ai